Bug 168616 - oops when unplugging USB mass storage (flash memory stick)
Product: Fedora
Classification: Fedora
Component: kernel
i386 Linux
Priority: medium, Severity: medium
Assigned To: Pete Zaitcev
Brian Brock
Duplicates: 169379
Reported: 2005-09-18 01:42 EDT by Russell Coker
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-09-21 22:44:52 EDT
Description Russell Coker 2005-09-18 01:42:24 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Red Hat/1.0.6-1.4.2 Firefox/1.0.6

Description of problem:
The following happens on a Thinkpad T41p with Pentium-M CPU when the USB storage device is removed.  The device is not mounted or in use in any other way at the time.  This is repeatable and did not happen in kernel 2.6.12-1.1519_FC5.

The same problem occurs on a Compaq Desktop machine with 1.5GHz P4 CPU.  I have reproduced the problem with two memory sticks of different brand and size.

usb 1-4: USB disconnect, address 2
Unable to handle kernel paging request at virtual address 6b6b6bb3
 printing eip:
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: sd_mod video ibm_acpi button battery ac usb_storage scsi_mod uhci_hcd ehci_hcd radeonfb i2c_algo_bit parport_pc parport shpchp hw_random tpm_infineon tpm i2c_i801 i2c_core snd_intel8x0m snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc e1000 floppy dm_crypt aes_i586 dm_snapshot dm_zero dm_mirror ext3 jbd dm_mod
CPU:    0
EIP:    0060:[<f0a97804>]    Not tainted VLI
EFLAGS: 00010286   (2.6.13-1.1555_FC5) 
EIP is at scsi_remove_device+0x2c/0x38 [scsi_mod]
eax: 00000001   ebx: ebdf5738   ecx: 00000000   edx: 6b6b6b6b
esi: eade82ac   edi: eade82ac   ebp: edb73cc4   esp: efeb0e84
ds: 007b   es: 007b   ss: 0068
Process khubd (pid: 106, threadinfo=efeb0000 task=eff3b030)
Stack: ebdf5738 ebdf532c f0a9788f edb73cc4 eade82b0 eade82ac eade82b4 f0a96a09 
       eade82ac f0a3eac0 f0a3eae0 ed45d26c f0a8f3a2 eade8594 f0a3eac0 f0a2f83b 
       ee68113c c02868b5 ee6811f8 ee681150 c023e13a ee681150 ed45d2e0 00000000 
Call Trace:
 [<f0a9788f>] __scsi_remove_target+0x7f/0xb6 [scsi_mod]
 [<f0a96a09>] scsi_forget_host+0x37/0x5c [scsi_mod]
 [<f0a8f3a2>] scsi_remove_host+0x3d/0x7a [scsi_mod]
 [<f0a2f83b>] storage_disconnect+0xe/0x16 [usb_storage]
 [<c02868b5>] usb_unbind_interface+0x34/0x60
 [<c023e13a>] __device_release_driver+0x4c/0x64
 [<c023e17c>] device_release_driver+0x2a/0x38
 [<c023dad4>] bus_remove_device+0x4f/0x5d
 [<c023ce13>] device_del+0x2b/0x5b
 [<c028d9da>] usb_disable_device+0xbb/0x108
 [<c0288bc8>] usb_disconnect+0xaa/0x14c
 [<c0289a4a>] hub_port_connect_change+0x51/0x393
 [<c028a003>] hub_events+0x277/0x3bc
 [<c028a148>] hub_thread+0x0/0xe5
 [<c028a15c>] hub_thread+0x14/0xe5
 [<c012dd26>] autoremove_wake_function+0x0/0x37
 [<c012d90b>] kthread+0x87/0x8b
 [<c012d884>] kthread+0x0/0x8b
 [<c01012fd>] kernel_thread_helper+0x5/0xb
Code: 53 89 c3 8b 30 ba 66 00 00 00 b8 05 cc a9 f0 e8 e5 0f 68 cf e8 0c 41 88 cf ff 4e 48 0f 88 a4 03 00 00 89 d8 e8 73 ff ff ff 8b 13 <ff> 42 48 0f 8e 9f 03 00 00 5b 5e c3 55 57 56 53 89 c5 8b 98 b8 

Version-Release number of selected component (if applicable):
kernel 2.6.13-1.1555_FC5

How reproducible:

Steps to Reproduce:
Plug in USB device, wait 30 seconds for it to finish scanning for partitions etc, then unplug it and get an Oops.

Additional info:
Comment 1 Pete Zaitcev 2005-09-18 01:56:49 EDT
This is a known problem which 1.1455 imported from upstream.
The fix appears known, and I saw James accepting all 3 patches.
So, I wasn't going to do anything special about it.
It will be gone in -rc2, most likely.

See this (has all three patches attached):
Comment 2 Pete Zaitcev 2005-09-18 01:59:00 EDT
I meant 1.1555 above. Anyway, use a previous kernel for now. 1.1542 seems ok.
Comment 3 Steve Grubb 2005-09-19 06:23:08 EDT
This problem still exists in 2.6.13-1.1558_FC5. I just got a segfault on an
x86_64 UP kernel. One other item, before the segfault, I got this:

Sep 19 18:18:54 localhost udevd[643]: get_netlink_msg: no ACTION in payload
found, skip event 'umount'
Sep 19 18:18:57 localhost kernel: usb 3-1: USB disconnect, address 2
Sep 19 18:18:57 localhost kernel: general protection fault: 0000 [1] SMP
Sep 19 18:18:57 localhost kernel: CPU 0
Sep 19 18:18:57 localhost kernel: Pid: 97, comm: khubd Not tainted
2.6.13-1.1558_FC5 #1
Sep 19 18:18:57 localhost kernel: RIP: 0010:[<ffffffff882df808>]
Sep 19 18:18:57 localhost kernel: RSP: 0000:ffff8100379edc98  EFLAGS: 00010292
Sep 19 18:18:57 localhost kernel: RAX: 6b6b6b6b6b6b6b6b RBX: ffff8100328e4a60
RCX: 0000000000000001
Sep 19 18:18:57 localhost kernel: RDX: ffff8100328e4a58 RSI: ffffffff8020185f
RDI: 6b6b6b6b6b6b6beb
Sep 19 18:18:57 localhost kernel: RBP: ffff81003381c178 R08: 0000000000000000
R09: ffff8100328e4a60
Sep 19 18:18:57 localhost kernel: R10: 00000000ffffffff R11: ffffffff882dfe6c
R12: ffff81003381c208
Sep 19 18:18:57 localhost kernel: R13: ffff81003381c188 R14: ffff81003698eb08
R15: 0000000000000100
Sep 19 18:18:57 localhost kernel: FS:  00002aaaab015f70(0000)
GS:ffffffff80554800(0000) knlGS:0000000000000000
Sep 19 18:18:57 localhost kernel: CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
Sep 19 18:18:57 localhost kernel: CR2: 00007fffffa32e30 CR3: 00000000322ed000
CR4: 00000000000006e0
Sep 19 18:18:57 localhost kernel: Process khubd (pid: 97, threadinfo
ffff8100379ec000, task ffff810037e15140)
Sep 19 18:18:57 localhost kernel: Stack: ffff8100328e4a60 ffff81003381c188
ffff810032f00f60 ffffffff882dfaf5
Sep 19 18:18:57 localhost fstab-sync[2132]: removed mount point /media/flash for

There's more if you want it.
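
Added example, not part of the original bug report or of any comment: both dumps above carry the byte 0x6b repeated in a register (edx on i386, RAX and RDI on x86_64), the pattern Linux slab debugging writes into freed objects. The Python sketch below flags such values in an oops and reports their offset from the poison pattern; the function name, the regular expression and the 0x1000 offset limit are assumptions made for the illustration.

```python
import re

# Bytes that Linux slab debugging writes into objects (assumed enabled in the kernel).
POISON = {0x6B: "freed object (POISON_FREE)",
          0x5A: "uninitialised object (POISON_INUSE)"}

# i386/x86_64 general registers and the "virtual address" fault line,
# followed by an 8- or 16-digit hex value.
VALUE = re.compile(
    r"\b([er](?:[a-d]x|[sd]i|[sb]p)|r\d{2}|virtual address)[:\s]\s*"
    r"([0-9a-f]{16}|[0-9a-f]{8})\b", re.I)

def poison_hits(oops_text, max_offset=0x1000):
    """Return (name, value, kind, offset) for every value that equals a
    poison-filled pointer plus a small structure-field offset."""
    hits = []
    for name, hexval in VALUE.findall(oops_text):
        value, width = int(hexval, 16), len(hexval) // 2
        for byte, kind in POISON.items():
            base = int.from_bytes(bytes([byte]) * width, "big")
            if 0 <= value - base < max_offset:
                hits.append((name.lower(), value, kind, value - base))
    return hits

# Lines excerpted from the two dumps in this report.
I386_OOPS = """\
Unable to handle kernel paging request at virtual address 6b6b6bb3
eax: 00000001   ebx: ebdf5738   ecx: 00000000   edx: 6b6b6b6b
esi: eade82ac   edi: eade82ac   ebp: edb73cc4   esp: efeb0e84
"""
X86_64_OOPS = """\
kernel: RAX: 6b6b6b6b6b6b6b6b RBX: ffff8100328e4a60
kernel: RDX: ffff8100328e4a58 RSI: ffffffff8020185f
RDI: 6b6b6b6b6b6b6beb
kernel: RSP: 0000:ffff8100379edc98  EFLAGS: 00010292
"""

if __name__ == "__main__":
    for dump in (I386_OOPS, X86_64_OOPS):
        for name, value, kind, off in poison_hits(dump):
            print(f"{name}: {value:#x} = {kind} + {off:#x}")
```

On the i386 dump the fault address comes out as the poison pattern plus 0x48, the same base value that sits in edx.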
Comment 4 Dave Jones 2005-09-21 22:44:52 EDT
Should be fixed in latest builds.
Comment 5 Pete Zaitcev 2005-09-27 15:45:21 EDT
*** Bug 169379 has been marked as a duplicate of this bug. ***
Comment 6 Pete Zaitcev 2005-09-27 15:48:48 EDT
Ralf says 1.1578 still has it (on ppc at least).
Comment 7 Ralf Ertzinger 2005-09-29 19:25:21 EDT
1.1582 seems to behave itself.
